An “Egregious” Industrial Plant Attack

December 15, 2017

Vaughan Emery

There’s no joy in writing this blog. I’ve spent the night searching for the latest news about the Triton malware that’s been discovered in an – at this point unnamed – industrial plant believed to be located in the Middle East, perhaps Saudi Arabia, according to Reuters.

‍

While this isn’t the first attack on industrial processes (there was Stuxnet in 2010, and Crash Override in 2016) it is the first reported attack on the safety systems that monitor processes to protect life and property from industrial accidents.

‍

“Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted,” Reuters reports. “It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber experts said.”

‍

Use of the word watershed in the Reuters headline “Hackers halt plant operations in watershed cyber attack” is another way of saying that a line has been crossed that threatens to make the world a more dangerous place. That line was that the hackers attacked the very safety mechanisms – in this case Triconex safety-instrumented systems (SIS) – intended to protect plants, and their employees, and populations beyond, from industrial accidents.

‍

Reuters reports that Triconex, a product of Schneider Electric, is “widely used in the energy industry, including at nuclear facilities, and oil and gas plants.” Its role is to detect safety issues and issue alerts, if something goes wrong, and as a last resort safely shut down a process or plant as a safety measure – which is how the Triton attack was discovered.

‍

The breach, first announced by FireEye, was reportedly discovered when bad actors used malware to gain control of a workstation running Triconex, and were probing it in what was believed to be an effort to see how the safety system could be reprogrammed to ignore warnings, paving the way for attacks on a plant. To the credit of Triconex, Reuters reports it was the probing and attempted reprogramming that caused some controllers to go into a fail-safe mode, which caused related processes to shut down and caused the plant to identify the attack.

‍

Wired, in its coverage, spoke with Rob Lee, the founder of security firm Dragos Inc., which observed the malware operating in the Middle East about a month ago, and had since been quietly analyzing it, before FireEye revealed its existence publicly. Lee told Wired that targeting of safety systems makes Triton in some respects the most dangerous malware ever encountered.

‍

“It’s the most egregious we’ve seen in its potential impact,” Lee told Wired. “Even the hint of doing this is awful.”

‍

Sergio Caltagirone, head of threat intelligence with Dragos, told Reuters: “This is a watershed. Others will eventually catch up and try to copy this kind of attack.”

‍

No doubt more information will be released in the coming days and weeks as more is learned about how Triconex works, and how it can best be protected against. But the immediate take-home lesson is that industrial processes, including the vast area of industrial IoT must be protected as strongly and as swiftly as possible.

‍

Those of us working within IoT security have long known that too many IoT devices are unprotected or poorly protected. And that the result is a vast attack surface across the very processes that are becoming ever more mission critical to our daily lives. IoT is woven into how we deliver water, create and distribute electricity, operate our factories, and do so much more. Protecting the IoT is essential to protecting our way of life.